Hi,

Please suggest if our understanding is correct for the below scenario. We had a doubt regarding the behavior of the Responder during initial tunnel setup when the IKE_AUTH request's Proposal Substructure (in the SA Payload) does not contain an SPI for Child SA creation.

From RFC 5996, section 3.3.1 <http://tools.ietf.org/search/rfc5996#section-3.3.1>, Proposal Substructure:

                         1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    | 0 (last) or 2 |   RESERVED    |         Proposal Length       |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    | Proposal Num  |  Protocol ID  |    SPI Size   |Num  Transforms|
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    ~                        SPI (variable)                         ~
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                                                               |
    ~                        <Transforms>                           ~
    |                                                               |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
If the above header in the IKE_AUTH request from the Initiator contains "SPI Size" as zero and the SPI is not present, what should be the behavior of the responder? In our opinion it should return "INVALID_SYNTAX" in the Notify payload of the IKE_AUTH response, with no other payload present in it. Below is the RFC reference.

Again, from RFC 5996, section 3.10.1 <http://tools.ietf.org/search/rfc5996#section-3.10.1>, Notify Message Types:

    <snip>
    INVALID_SYNTAX                           7
        Indicates the IKE message that was received was invalid because
        some type, length, or value was out of range or because the
        request was rejected for policy reasons.
    <snip>

Thanks
Navneet
_______________________________________________ Users mailing list [email protected] https://lists.strongswan.org/mailman/listinfo/users
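The following is an added example written by the editor, not code from Navneet's post nor from strongSwan. It parses the Proposal Substructure and Transform Substructure formats quoted above (RFC 5996 sections 3.3.1 and 3.3.2) and applies the SPI Size rule from 3.3.1: AH and ESP proposals must carry a 4-byte SPI, IKE proposals carry no SPI in IKE_SA_INIT and an 8-byte SPI when rekeying. A responder-side helper then maps any structural violation, including the "SPI Size is zero" case from the question, to the INVALID_SYNTAX (7) notify type from 3.10.1. Function and class names are the editor's own, and the two SA payload bodies at the bottom are constructed for the example (an ESP proposal with SPI 0x01020304, AES-CBC-128 encryption and HMAC-SHA1-96 integrity, once well-formed and once with SPI Size 0).

```python
import struct
from dataclasses import dataclass, field
from typing import List, Tuple

# Protocol IDs from RFC 5996 section 3.3.1
PROTO_IKE, PROTO_AH, PROTO_ESP = 1, 2, 3
# Notify Message Type from RFC 5996 section 3.10.1
INVALID_SYNTAX = 7

# SPI sizes permitted per Protocol ID (RFC 5996 3.3.1): IKE proposals have
# SPI Size 0 in IKE_SA_INIT and 8 when rekeying the IKE SA; AH/ESP need 4.
ALLOWED_SPI_SIZES = {PROTO_IKE: (0, 8), PROTO_AH: (4,), PROTO_ESP: (4,)}


class ProposalError(Exception):
    """Structural error in an SA payload; maps to a notify type."""
    def __init__(self, reason: str, notify: int = INVALID_SYNTAX):
        super().__init__(reason)
        self.notify = notify


@dataclass
class Transform:
    ttype: int          # 1=ENCR 2=PRF 3=INTEG 4=D-H 5=ESN
    tid: int            # Transform ID
    attributes: bytes   # raw attribute bytes (e.g. Key Length, TV format)


@dataclass
class Proposal:
    last: bool
    num: int
    protocol_id: int
    spi: bytes
    transforms: List[Transform] = field(default_factory=list)


def parse_transforms(data: bytes, count: int) -> List[Transform]:
    """Parse exactly `count` Transform Substructures (RFC 5996 3.3.2)."""
    transforms, offset = [], 0
    for i in range(count):
        if len(data) - offset < 8:
            raise ProposalError("transform substructure truncated")
        more, _r, length, ttype, _r2, tid = struct.unpack("!BBHBBH", data[offset:offset + 8])
        if more != (3 if i < count - 1 else 0):
            raise ProposalError("transform 'last/more' byte disagrees with Num Transforms")
        if length < 8 or offset + length > len(data):
            raise ProposalError("transform length out of range")
        transforms.append(Transform(ttype, tid, data[offset + 8:offset + length]))
        offset += length
    if offset != len(data):
        raise ProposalError("trailing bytes after last transform")
    return transforms


def parse_proposal(data: bytes) -> Tuple[Proposal, int]:
    """Parse one Proposal Substructure; returns it and its length in bytes."""
    if len(data) < 8:
        raise ProposalError("proposal substructure shorter than 8-byte header")
    more, _r, length, num, proto, spi_size, ntrans = struct.unpack("!BBHBBBB", data[:8])
    if more not in (0, 2):
        raise ProposalError("proposal 'last/more' byte must be 0 or 2")
    if length < 8 or length > len(data):
        raise ProposalError("proposal length out of range")
    if proto not in ALLOWED_SPI_SIZES:
        raise ProposalError(f"unknown Protocol ID {proto}")
    if spi_size not in ALLOWED_SPI_SIZES[proto]:
        # This is the case from the question: e.g. ESP with SPI Size 0.
        raise ProposalError(f"SPI Size {spi_size} is invalid for Protocol ID {proto}")
    if 8 + spi_size > length:
        raise ProposalError("SPI does not fit in proposal")
    if ntrans == 0:
        raise ProposalError("Num Transforms must be at least 1")
    spi = data[8:8 + spi_size]
    transforms = parse_transforms(data[8 + spi_size:length], ntrans)
    return Proposal(more == 0, num, proto, spi, transforms), length


def parse_sa_payload_proposals(data: bytes) -> List[Proposal]:
    """Parse the chain of proposals that makes up an SA payload body."""
    proposals, offset = [], 0
    while True:
        prop, length = parse_proposal(data[offset:])
        proposals.append(prop)
        offset += length
        if prop.last:
            break
    if offset != len(data):
        raise ProposalError("trailing bytes after last proposal")
    return proposals


def responder_check_ike_auth_sa(data: bytes):
    """Responder view of the SA payload in IKE_AUTH (a Child SA negotiation).
    Returns ("accept", proposals) or ("notify", INVALID_SYNTAX, reason)."""
    try:
        proposals = parse_sa_payload_proposals(data)
    except ProposalError as e:
        return ("notify", e.notify, str(e))
    if any(p.protocol_id == PROTO_IKE for p in proposals):
        return ("notify", INVALID_SYNTAX, "IKE proposal in Child SA negotiation")
    return ("accept", proposals)


# Constructed sample SA payload bodies (not captured traffic).
# Transforms: ENCR AES-CBC (id 12) with Key Length 128 (TV attr 0x800E), INTEG HMAC-SHA1-96 (id 2).
TRANSFORMS_HEX = "03 00 00 0c 01 00 00 0c 80 0e 00 80  00 00 00 08 03 00 00 02"
SA_ESP_WITH_SPI = bytes.fromhex("00 00 00 20 01 03 04 02  01 02 03 04 " + TRANSFORMS_HEX)
SA_ESP_SPI_SIZE_ZERO = bytes.fromhex("00 00 00 1c 01 03 00 02 " + TRANSFORMS_HEX)

if __name__ == "__main__":
    print(responder_check_ike_auth_sa(SA_ESP_WITH_SPI))
    print(responder_check_ike_auth_sa(SA_ESP_SPI_SIZE_ZERO))
```

Length fields are checked before anything is sliced, so a malformed proposal is rejected with INVALID_SYNTAX rather than raising an out-of-range error inside the parser; the valid sample parses to one ESP proposal with SPI 01020304 and two transforms, and the sample with SPI Size 0 is rejected at the SPI Size check.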
